San Francisco DA Discloses City's Passwords

snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for awhile until they've changed them all and modified the configurations of some large number of VPN clients.'"

Re:Ah HA!

[WK2]

Why did the DA even have access to these passwords? Why were they not in hash form? Did Child's have anything to do with that part?

Passwords can be TOO strong.

[Jane+Q.+Public]

I attended a lecture some years ago by a Microsoft employee who was high up in their security structure.

He started his speech by asking the audience, "Passwords and policies should be made as strong and secure as possible, right?"

A show of many hands.

He said, "Wrong! It is possible for a password policy to be TOO secure. Let me give you an example. It is possible to set up a security policy in NT that requires a password of at least 8 characters, which must also be mixed case, have at least one numerical digit, and at least one non-alphanumeric character, and which will require a change of password every week."

"As soon as you implement that policy, users will write their password on a post-it note, stick it to their monitor, and replace it with a new one every week. So you see, a password policy CAN be too secure for your own good."

This is the tip of the iceberg

[xenophrak]

This is unfortunately par for our fine DA. Kamala Harris has proven herself to be an incompetent tool more often that I'd like to hear.

She has angered many San Franciscans by refusing to prosecute violent criminals, and lately, found to have been lax towards the city's worst crime of the year...the murder of a father and his two sons in the Mission by a suspected illegal alien due to the city's stupid sanctuary law.

She should be dragged out, tarred, whipped and ejected from the city, never to return.

Re:Ah HA!

[Hanzie]

Hey guys,

If you have any other opinions you'd really like entered into the public record, have at it. I'd say there's a very good chance that this discussion will be entered as evidence by the defense.:)

If anyone is counting, add my vote for the VPN passwords' disclosure being hard evidence that the IT admin was perfectly correct.

That and the fact that the SF network stayed up while the world's hackers KNEW that the network was completely unsupervised.

Frankly, if I were looking to hire somebody, I'd be chipping into this guy's defense fund. Speaking as a real-world IT manager, I'd say this guys judgement is spot on, and his admin skills are amazing.

In my own humble opinion, then SF DA's office is full of idiots.

hanzie.

For everyone who thinks Childs was right

[Zakabog]

Does anyone realize that the passwords would have never been given to the DA's office if it wasn't for his actions? The passwords would then not be part of public record. Do you think the person at the IT office would have made the list of passwords public if Childs left gracefully?

Someone at the the DA's office is the incompetent person in this case, but that does not validate his locking out of everyone competent enough to take care of the system (the people that would have replaced him at the IT department.)

Re:NEVERMIND!

[rahvin112]

It's government. To think like government in implementing something like VPN you have to conceive a solution that involves the user not having to do anything (other than maybe push a button) and this includes anything other than a standard login box. Second you have to implement this in a way that the user themselves can go home and implement this solution without any site help from anyone and zero technical knowledge. (you don't send an IT person to a State Employees home, that's asking from some kind of lawsuit). Fourth the solution must be as expensive as possible, support some local business (preferable if the business owner is connected politically with one of the local leaders) and require very few extra hours from the already overworked staff.

What does that result in? Hardware VPN boxes plugged into the network router, with the users computer plugged directly into the VPN box. Costs a lot, requires pre-configuration of the box but should require no site visits, idiots can usually successfully plug in boxes with phone support only and any reconfiguration likey requires the box to be brought back into the office as the VPN keys on the boxes are likely hard coded into a configuration on the VPN device. Likely a turn key solution so you have a hefty support contract and the vendor would likely assist with deployment and any reconfiguration resulting in a nice contract fee for reprogramming all the boxes.

My guess is some VPN box provider is going to be doing a service call on every box and netting themselves some nice profit under their support agreement.

Re:Then the users will change them right back

[AJWM]

Are you sure this guy hadn't called support to have his password reset? Because "password" sounds like something they might reset it to, and unlikely for someone to forget.

Re:RTFA

[masdog]

Do they even know what those "usernames" and "passwords" are for? Did they check any documentation or did they just assume that the list was a list of individual users and passwords that Childs could use to wreck havoc?

After reading the article, it seems like the list consists of Cisco VPN group names and pre-shared keys, not usernames and passwords. To someone who isn't familiar with the technology, it would look like a username and password, and I'm sure they are counting on the technological ignorance of the Judge and the general public to keep up this charade.

It will be interesting when this thing finally goes to trial. The city is probably going to end up eating its words.